I have one Salesforce profile and one permission set in Salesforce. As per the requirement, there are two user personas in our Salesforce application.
Persona 1 -> SF Profile
Persona 2 -> SF Profile + Permission Set
To achieve the above configuration using Azure AD auto-provision, we have created two security groups and added relevant business users into those two groups. Currently, we struggling to determine the best approach on how to assign the Salesforce permission sets to the users in the "Persona 2" user group.
You already have Single Sign-On configured in SF, right? At the bottom of the page there's place for just-in-time (JIT) login handler class.
You'd have to write that class but there are some online examples for ... implements Auth.SamlJitHandler. Once you have the class skeleton ready - use System.debug(JSON.serializePretty(attributes)); or something similar to see what Azure Active Directory sends. Last time I used this AAD couldn't send groups info but it could send role(s). So we determined unique sets of users and if role is X - check if the user has permission set X assigned and if not - assign it. We then expanded it to other SF features (groups, queues, user role, profile...). PermissionSetAssignment is the table you need.
If you don't want to write code for this there's always Identity Connect but that's paid and on-premise agent program (I think). No idea if it can work with AAD. But you'll get simple interface for the mapping.
Related
We're using Active Directory Groups for different customers and their employees. It's straightforward configuring a group accessToken claim for authenticated users. Now, when an app does not act in behalf of a user but in behalf of itself (client_credentials flow), and the app is member in an AD Group, is it possible to configure an accessToken claim for the application's membership? If so, how?
I have tried to configure it in Azure/Active Directory/Token configuration but it gives only the group of users that are authenticated and not that of the app itself.
Thank you.
I think there is a problem with your description. You said in the question: and the app is member in an AD Group. As far as I know, the members of a group can only be users, organization contacts, service leaders or other groups, and there is no application.
I think what you want to say is that you assigned users or groups to the application (please correct me if my understanding is wrong), like this:
As far as I know, there is no group claim for application tokens(The user token has a group claim, as you said in the question),because application is not a member of group.
If you want to get the group assigned to the application, MS graph api is a good choice:
https://graph.microsoft.com/beta/servicePrincipals/{id}/appRoleAssignedTo
You need to replace {id} with Object ID:
My goal is to have the user authenticate with Azure AD and then be presented with a drop-down of profiles they want to access. Based on which profile is selected, the user will have different permissions on the site. I'm trying to avoid a user having to have multiple logins to enforce the different permissions per profile.
Can Azure AD handle this or do I need to tie in custom code in a database?
No, Users have one identity and can have a set of roles on an app.
Well, just one role unless you have group-based role assignment available :)
This concept sounds like something you will have to build in your app.
Or you will have to have multiple users registered for this one person.
As you can see my question above, I was wondering if it is possible to retrieve the assigned groups of an Azure Active Directory (AAD) based user via Microsoft GraphAPI.
My situation is, that I have an ASP.NET MVC project with Microsoft Azure enabled. My goal is, that an Azure user can login on my website with it's Azure account.
The idea is, that an azure user is an admin or an user (depending on the azure groups) and depending of this role group, the user can view more or less of my webpage.
For example:
When Peter logs in with his azure account on my webpage, he should only be able to see:
Add new Document
Edit Document
Remove Document
because he is only assigned as "User" in Azure Active Directory.
But when Sabrina logs in with her azure account on my webpage, then she should be able to do the same as Peter, but she also can see:
Manage Products
Add new customer
etc.
because she is been assigned as an admin in Azure Active Directory.
My problem is, that I did not find out how I retrieve the assigned group of an user with Microsoft GraphAPI. The part, which user can see or not after I got the roles is not a big deal.
I already tried this API call:
https://graph.microsoft.com/v1.0/me/
But it seems, that the response of this call does not include the actual assigned group of that user.
Do you think it is possible to retrieve the assigned group of an azure user? Is this even possible? Or do I have to do something else to retrieve these information?
I hope you understand my point and I am also looking forward for any response. Thanks in advance!
Add /memberOf to the URL to receive the groups a user is member of.
https://graph.microsoft.com/v1.0/me/memberOf
Here's a link to the specific graph api - https://developer.microsoft.com/en-us/graph/docs/api-reference/v1.0/api/user_getmembergroups
Take a look at this sample application on Github. It does something very similar with a task tracker application, where different users are able to perform different actions based on the group they belong to -
https://github.com/Azure-Samples/active-directory-dotnet-webapp-groupclaims/blob/master/README.md
Also, in cases where a user is a member of too many groups, you get back an overage indicator and have to make a separate call to get all groups. Read about “hasgroups” and “groups:src1” claims here - https://learn.microsoft.com/en-us/azure/active-directory/develop/v1-id-and-access-tokens
According to your system architecture, if some user has too many joined groups, the API https://developer.microsoft.com/en-us/graph/docs/api-reference/v1.0/api/user_getmembergroups will return too many groups.
But if the groups with permissions in your system are not too much, you can use this API: https://developer.microsoft.com/en-us/graph/docs/api-reference/v1.0/api/user_checkmembergroups to check if the current user is the member of specified groups.
It is not good idea to use this API: https://graph.microsoft.com/v1.0/me/memberOf. Because it returns only the groups that the user is a direct member of, but security group can be member of security group.
I can Authenticate user in Active directory but I need to know can we authenticate a specific user in group if we have multiple groups.
Basically I am redirecting to http://[mydirectory].onmicrosoft.com and validating the user but I need to know do we have mechanism to validate a user from specific group so that I can give access according to that.
Assuming this is Azure AD (and not on-premises Windows Server AD), then you have three options to restrict access to an application via groups.
Option 1: Require user/group assignment to application
This is the only option that does not require adding authorization logic in your application.
When configuring your application in the classic Azure portal, you can set the application to require user assignment:
Then, under "Users and Groups" for that application, you can choose which individual users or groups should have access to the application.
The most important thing to consider here is that this will only apply to direct members of the group, not to nested members.
Option 2: Request group claims
This option will allow you to request that the token returned to the application after a user has signed in contain the list of groups that the user is a member of. This includes groups that they are transitive members of (i.e. nested groups).
From your application's configuration page in the classic Azure portal, you can download and upload the app's manifest JSON file. In the manifest, locate the "groupMembershipClaims" attribute, and set it to "All" or "SecurityGroup" (the latter will exclude distribution lists).
Once this is set, after the user signs in, the resulting token will have a groups claim that contains a list of group object IDs that the user is a member of. Your application can then use these claims to decide whether or not the user should have access.
Dushyant Gill goes into group claims in detail in his blog post: http://www.dushyantgill.com/blog/2014/12/10/authorization-cloud-applications-using-ad-groups/ (archive.org link)
The important consideration here is that there is a limit to the number of groups that can be returned. If the user is a member of more groups that this limit, then an "overage" claim is issued, and your application will need to make an Azure AD Graph API call to get the full list. (This is also described in Dushyant's blog post.)
Option 3: Use the the Microsoft Graph API or the Azure AD Graph API directly
The final option is to simply call the Microsoft Graph API (or the Azure AD Graph API, they both act almost identically for this) to establish if the signed in user is a member of a given group. Your application can then make the authorization decision.
There are several approaches you can take (these are all transitive checks, so nested groups are supported):
isMemberOf to check whether a the user is a member of a specified (single) group. This is the simplest if a single group should grant access to your app.
checkMemberGroups to check if the user is a member of any groups in a list of groups. This is useful if different groups grant different roles or permissions in your application.
getMemberGroups to return the full list of groups the user is a member of. This is generally not particularly useful for doing authorization checks.
I have an Azure Active Directory Application (and associated Service Principal). That Service Principal needs to be able to add and remove members from an Azure Active Directory Group...so I have added Read and write directory data under Application Permissions:
And I have code that uses the Client ID and Client Secret to get an Authentication Token an perform these operations using the Azure Graph API.
However, this permission is far too broad. I need the Application/Service Principal to only have the ability to add and remove members from specific groups (not all)...and not the ability to perform other types of operations.
Is there a way to do this?
Thank you.
There is a preview feature that partly fits your requirement: "Group.ReadWrite.All". It lets your principal create and update groups and their navigation properties (incl. members). It does not however reduce the permissions to modify only certain groups.
AAD permission scopes are described here: https://msdn.microsoft.com/Library/Azure/Ad/Graph/howto/azure-ad-graph-api-permission-scopes
Preview features may be subject to change and you'll have to agree to reduced service terms etc.: https://azure.microsoft.com/en-us/services/preview/